CVE-2023-47359 (CVSS 9.8): Critical VLC Media Player Vulnerability
VideoLAN has released VLC Media Player 3.0.20, which includes fixes for two critical security vulnerabilities. These vulnerabilities could have allowed attackers to take control of affected systems.
The first vulnerability, CVE-2023-47359, is a heap-based buffer overflow that could allow attackers to execute arbitrary code on affected systems. It is rated critical, with a Common Vulnerability Scoring System (CVSS) score of 9.8.
The vulnerability is caused by an incorrect offset read in the GetPacket() function. This function is responsible for reading packets from a media stream. If an attacker can provide a specially crafted packet, they can cause the GetPacket() function to read past the end of the allocated buffer. This can allow the attacker to overwrite memory in the heap, which can then be used to execute arbitrary code.
The second vulnerability, CVE-2023-47360, is an integer underflow that could allow attackers to cause a denial of service. It is rated high, with a CVSS score of 7.5.
The vulnerability is caused by an incorrect packet length calculation. If an attacker can provide a packet with a negative length, VLC Media Player will attempt to allocate a buffer that is too small. This can cause VLC Media Player to crash.
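An added illustration of the two bug classes described above (a length calculation that underflows and a copy that trusts a declared length), with the checks that prevent them. It is not VLC's code and does not use the MMS wire format; the 8-byte header layout and the names `parse_packet`, `payload_len_unchecked` and `HDR_SIZE` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout, for illustration only (not MMS, not VLC code):
 * bytes 0-3 total packet length (little-endian, header included),
 * bytes 4-7 flags, bytes 8.. payload. */
#define HDR_SIZE 8u

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked calculation, kept only for comparison: a declared length
 * below HDR_SIZE wraps around to a huge unsigned value. */
uint32_t payload_len_unchecked(uint32_t declared) {
    return declared - HDR_SIZE;
}

/* Checked parse: copies the payload into dst and returns its length,
 * or -1 when any length field is inconsistent with the real buffers. */
long parse_packet(const uint8_t *in, size_t in_len, uint8_t *dst, size_t dst_cap) {
    if (in_len < HDR_SIZE)
        return -1;                      /* header itself is truncated */
    uint32_t declared = rd_le32(in);
    if (declared < HDR_SIZE)
        return -1;                      /* subtraction would underflow */
    if (declared > in_len)
        return -1;                      /* claims more bytes than received */
    size_t payload = declared - HDR_SIZE;
    if (payload > dst_cap)
        return -1;                      /* copy would overrun dst */
    memcpy(dst, in + HDR_SIZE, payload);
    return (long)payload;
}

int main(void) {
    /* Constructed sample packets: one consistent, one with a too-small length. */
    const uint8_t ok[12]  = {12, 0, 0, 0, 0, 0, 0, 0, 'd', 'a', 't', 'a'};
    const uint8_t bad[12] = {4, 0, 0, 0, 0, 0, 0, 0, 'd', 'a', 't', 'a'};
    uint8_t dst[16];
    printf("ok=%ld bad=%ld unchecked=%u\n", parse_packet(ok, sizeof ok, dst, sizeof dst),
           parse_packet(bad, sizeof bad, dst, sizeof dst), (unsigned)payload_len_unchecked(4));
    return 0;
}
```

Every length taken from the packet is compared against the bytes actually received and the destination capacity before any subtraction or copy uses it.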
Both vulnerabilities were discovered by security researcher 0xariana, who has also published technical details for them.
The Microsoft Media Server (MMS) protocol is a proprietary network-streaming protocol used to transfer unicast data in Windows Media Services. MMS can be transported via UDP or TCP. The MMS default port is UDP/TCP 1755.
The two vulnerabilities fixed in VLC Media Player 3.0.20 are related to the way VLC Media Player handles MMS packets.